H5SC

HTML5 Security Cheatsheet - A collection of HTML5 related XSS attack vectors

2630

416

JavaScript

HTML5 Security Cheatsheet

This is the new home of the H5SC or HTML5 Security Cheatsheet. Here you will find three things:

The collection of XSS vectors can be found here: https://html5sec.org/

We published a list of files useful for XSS testing in various situations. Currently the following files are available:

Pull requests welcome, we store the files in the /attachments sub-folder.

The H5SC currently has three “hidden” features

An RSS mode to test feed readers: https://html5sec.org/rss
/rss/+/ gives a unix timestamp 300 seconds in future (for ease use)
/rss/+123/ gives a unix timestamp 123 seconds in future
/rss/1234/ will serve a minimal rss feed until unix time is 1234.
A JavaScript function to return all vectors as string, isolated and numbered: Go here and execute vectors()
All H5SC vectors in one text file for easy copy & paste
A useful search API via GET
Want all vectors related to innerHTML? Open https://html5sec.org/?innerHTML
Want to link a specific vector? Open https://html5sec.org/#123
A redirect API resolving to a URL containing XSS payload
Data URI, no special status: https://html5sec.org/r/data/
Data URI, status code 307: https://html5sec.org/r/data/307
JavaScript URI, status code 301: https://html5sec.org/r/javascript/301
Supported status codes are: 301, 302, 303, 307, 308, 999
Supported schemes are: data, javascript, jar, script (redirecting to https://html5sec.org/<script>alert(1)%3c/script>/)
More to come soon!